CSRF CAPTCHA: Is it Secure?

TL;DR

Yes, CSRF CAPTCHAs can be defeated, though it’s not always easy. Attackers can bypass them using techniques like pre-computed responses, automated tools, or exploiting vulnerabilities in the CAPTCHA implementation itself. Stronger security measures like SameSite cookies and synchroniser tokens are generally more effective against CSRF.

Understanding CSRF & CAPTCHAs

CSRF (Cross-Site Request Forgery) attacks trick a user’s browser into performing unwanted actions on a trusted site where they’re already logged in. A CAPTCHA is often added to sensitive forms as an extra layer of security, requiring the user to prove they are human before submitting.

How CSRF CAPTCHAs Can Be Bypassed

1. Pre-computed Responses:
• If the CAPTCHA challenge is predictable (e.g., always the same question or a limited set of questions), an attacker can pre-compute the correct answers and embed them in their malicious script.
• This works best when the CAPTCHA doesn’t change frequently enough.
2. Automated Tools & OCR:
• Attackers can use automated tools to solve image-based CAPTCHAs using Optical Character Recognition (OCR) technology. The accuracy of OCR has improved significantly, making this a viable attack vector for simpler CAPTCHAs.
• More sophisticated CAPTCHAs with distorted images or audio challenges are harder to break but not impossible.
3. Exploiting CAPTCHA Implementation Flaws:
• Poorly implemented CAPTCHAs can have vulnerabilities, such as predictable session IDs or weak validation logic.
• For example, if the CAPTCHA solution is stored client-side (e.g., in a hidden form field), an attacker can simply copy it and reuse it.
4. Social Engineering:
• An attacker might trick a user into solving the CAPTCHA on their own, then steal the resulting token or submit the form themselves.

Example of a Vulnerable Implementation (Client-Side Token)

Imagine this simplified PHP code:

  
  
  Submit

In this example, the CAPTCHA token is stored client-side in a hidden form field. An attacker can easily view the source code of the page and copy the token to reuse it.

Better CSRF Protection Methods

1. Synchroniser Tokens (CSRF Tokens):
• Generate a unique, random token for each user session. Include this token in all forms and AJAX requests.
• On form submission, verify that the submitted token matches the one stored on the server for that user’s session. This is the standard CSRF defense.
2. SameSite Cookies:
• Set the SameSite attribute of your cookies to Strict or Lax. This prevents the browser from sending cookies with cross-site requests, mitigating CSRF attacks.

• Set-Cookie: sessionid=value; SameSite=Strict

3. Double Submit Cookie Pattern:
• Generate a random value and set it as both a cookie and in a hidden form field. On submission, verify that the cookie value matches the form field value.
4. Checking the Origin Header:
• Verify that the Origin header of incoming requests matches your domain. However, this isn’t foolproof as some browsers don’t send the Origin header.

Conclusion

While CSRF CAPTCHAs can add a small layer of security, they are not a reliable solution on their own. Attackers have various methods to bypass them. Implementing robust CSRF protection mechanisms like synchroniser tokens and SameSite cookies is crucial for securing your web applications against cyber security threats.